IPsec VPN for non-technical Windows users

Hi, folks. Apologies if this is an oft-repeated question, but I'm looking for a replacement for our current PPTP VPN setup (an old Watchguard), and the best (perhaps only) thing on that is the "client-less" VPN. That means users can pretty much get connected without any downloads or help - they just need the URL and credentials.

I've seen tutorials for pfSense IPsec setups, but they all seem to require installing a VPN client, and then changing a LOT of the options in it - that's not something easily sold to users, who might have to do all this themselves remotely.

How easy is it to get pfSense IPsec setup in such a way that the Windows VPN connections "just work" with the default settings?

Feel free to complain to MS. Native != easy/good/user friendly. On that note L2TP/IPsec is not implemented anyway, so you'd need a third-party client regardless. With OVPN client export package, the whole "effort" is limited to clicking Next a couple of times.

We don't load a bunch of crap on our corporate laptops, and I have to support real users that have no idea what they're doing. It's an unfortunate truth of dealing with non-technical staff that have to occasionally connect from home. I "insist on native VPN client" support because the most widely used client OS has one (I assume the others do too), and it seems not totally ridiculous to think maybe it's in some people's interest to support it.

Built-in VPN has worked for years for us with PPTP, so it seemed a reasonable question to ask.

I'll look at the OVPN again, if that's what it takes.

The whole "zomg M$$ can't be trusted" thing is getting a bit old now too.

The Shrew Soft client is even more difficult to work with than OpenVPN in most ways. With OpenVPN you can export a client configuration right from pfSense and be running in a couple minutes. With Shrew Soft it's all manual config (you can save it and import it to other clients later, but still a lot of manual work).

OpenVPN sounds like just the ticket then. Thanks for all the info folks, even if some of it seems to be presented in a somewhat aggressive manner. Not sure if I have taken the wrong pill in the past, but a few chill-pills wouldn't go amiss today, that's for sure.

The Shrew Soft client is even more difficult to work with than OpenVPN in most ways. With OpenVPN you can export a client configuration right from pfSense and be running in a couple minutes. With Shrew Soft it's all manual config (you can save it and import it to other clients later, but still a lot of manual work).

Yeah, I just wasted a day with configuring that thing… It works. Between exactly defined sites A and B. Explicitly said in the contract that there is absolutely no guarantee it's going to work elsewhere, not that it will work once they've reconfigured their routers, DNS, CAs or anything else in any way.

Using Shrew Soft is better these days now that we do support pushing settings to IPsec using mod cfg. It's not quite that dire in most cases now. It used to be absolutely horrible to use (not Shrew Soft's fault at the time, but our lack of auto support). Now with the right settings on both ends it's tolerable, but still quite a ways behind OpenVPN in practically every way.

There are only two good reasons to run the VPNs built into Microsoft vs. Openvpn.
1. So much legacy infrastructure and legacy clients that it's all you can support reliably/universally. Not often the case.
2. The admin is a moron. Happens a lot.

To play devil's advocate wrt "native" MS VPN, what about using GPO to provision VPN client settings ?

pfSense supports IPsec IKEv1 using the standard "ipsec-tools" package (also used by most Linux distros)

Windows prior to 7 wants L2TP/IPsec, not plain IPsec IKEv1. That does not work with pfSense.
Windows 7 and later actually has native IPsec but uses IKEv2 (not IKEv1). Which again does not work with pfSense.

Okay, that all seemed easy enough to get set up - my client is connected. Am I correct in thinking that the rule created by the OpenVPN wizard (looks like a * * * * * * allow-all rule) should mean that anyone connecting via the VPN has access to everything?

The client needs to run as Administrator (unless you're using the openvpnmanager gui running it as a service) or it can't add routes.

To make sure you're actually pushing routes to the client, ensure you have the "local network" box filled in, or that you have the option set to redirect the client gateway so that all traffic goes over the tunnel.

If it's not Windows XP, you need to right-click the install file and "Run as administrator", otherwise you get connected but it won't route you anywhere.
If you didn't install it as admin, the easy fix is to uninstall it, then reinstall (Run as admin this time).

Occasionally you get an issue where you have to allow it in your firewall rules on a Windows box, depending on the firewall.
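The last few posts describe two different ways an OpenVPN client ends up "connected but not routing anywhere": the pfSense server pushed no routes (the "local network" box was empty and the client gateway was not redirected), or routes were pushed but the Windows client was not running elevated and could not install them. The script below is an added example, not code from the thread or from pfSense/OpenVPN, that separates those two cases by reading the client log. The message shapes (PUSH_REPLY, "ROUTE: route addition failed", "Initialization Sequence Completed") are OpenVPN's; the sample log lines and the verdict names are constructed for this example.

```python
import re
from dataclasses import dataclass, field

# OpenVPN client log patterns. The message shapes are OpenVPN's own; the
# sample logs further down are constructed for this example.
PUSH_RE = re.compile(r"PUSH: Received control message: '(?P<body>[^']*)'")
ROUTE_FAIL_RE = re.compile(
    r"ROUTE: route addition failed|Windows route add command failed"
)
COMPLETED = "Initialization Sequence Completed"


@dataclass
class Triage:
    pushed_routes: list = field(default_factory=list)  # (network, netmask) pairs
    redirect_gateway: bool = False
    route_failures: int = 0
    connected: bool = False

    @property
    def verdict(self) -> str:
        if not self.connected:
            return "NOT_CONNECTED"
        if not self.pushed_routes and not self.redirect_gateway:
            # Tunnel came up, but the server pushed nothing to route: on pfSense
            # that means "IPv4 Local network(s)" is empty and the client gateway
            # is not redirected, so no LAN traffic will enter the tunnel.
            return "NO_ROUTES_PUSHED"
        if self.route_failures:
            # Routes arrived but the client could not install them. On Windows
            # this is the classic symptom of a client not running elevated.
            return "ROUTES_NOT_INSTALLED"
        return "OK"


def triage(log_text: str) -> Triage:
    """Scan an OpenVPN client log and summarise what was pushed and what failed."""
    result = Triage()
    for line in log_text.splitlines():
        m = PUSH_RE.search(line)
        if m:
            # PUSH_REPLY is a comma-separated list of server-side "push" options.
            for opt in m.group("body").split(","):
                parts = opt.split()
                if len(parts) == 3 and parts[0] == "route":
                    result.pushed_routes.append((parts[1], parts[2]))
                elif parts and parts[0] == "redirect-gateway":
                    result.redirect_gateway = True
            continue
        if ROUTE_FAIL_RE.search(line):
            result.route_failures += 1
        elif COMPLETED in line:
            result.connected = True
    return result


# Constructed sample logs (timestamps and addresses are made up).
LOG_NO_ROUTES = """\
Tue Mar 05 09:12:30 2013 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.0.0.1,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0'
Tue Mar 05 09:12:31 2013 Initialization Sequence Completed
"""

LOG_NOT_ADMIN = """\
Tue Mar 05 09:15:02 2013 PUSH: Received control message: 'PUSH_REPLY,route 10.0.0.0 255.255.255.0,dhcp-option DNS 10.0.0.1,route-gateway 10.8.0.1,topology subnet,ifconfig 10.8.0.2 255.255.255.0'
Tue Mar 05 09:15:03 2013 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied.   [status=5 if_index=11]
Tue Mar 05 09:15:03 2013 Initialization Sequence Completed
"""

LOG_OK = """\
Tue Mar 05 09:20:44 2013 PUSH: Received control message: 'PUSH_REPLY,route 10.0.0.0 255.255.255.0,dhcp-option DNS 10.0.0.1,route-gateway 10.8.0.1,topology subnet,ifconfig 10.8.0.2 255.255.255.0'
Tue Mar 05 09:20:45 2013 Route addition via IPAPI succeeded [adaptive]
Tue Mar 05 09:20:45 2013 Initialization Sequence Completed
"""

if __name__ == "__main__":
    for name, log in [("no routes", LOG_NO_ROUTES), ("not admin", LOG_NOT_ADMIN), ("ok", LOG_OK)]:
        print(f"{name:10s} -> {triage(log).verdict}")
```

Run it against a real client log (`openvpn.log` from the client's log directory) instead of the constructed samples; a NO_ROUTES_PUSHED verdict points at the server configuration, ROUTES_NOT_INSTALLED at how the client was launched.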